Mobile-First Risk Scoring: A Secret Weapon for BNPL Platforms

Every Buy-Now-Pay-Later (BNPL) risk team faces the same uncomfortable truth – the product feature that makes buy now, pay later commercially viable is the same feature that makes it a prime fraud target. The decision to approve or decline a credit application has to happen in seconds, within the natural pause of a checkout flow, before a consumer abandons their basket. That real-time constraint rules out the verification methods that traditional credit products use. It also rules out any step that adds visible friction. The fraudster knows this. The product roadmap knows this. And the risk model has to navigate both.

Mobile-first risk scoring uses real-time phone number intelligence to assess the credibility of a user at the point of application or transaction, providing a fraud signal that requires no additional user action and adds no perceptible latency to the checkout experience. The mobile number submitted at account opening is not simply a contact detail. It is a binding between a person, a device, a network, and a subscriber history, and that binding carries intelligence that credit bureaus, email validators, and document checks cannot replicate. Reading that intelligence is what separates platforms that catch synthetic identities, account takeovers, and first-party fraud from those that write them off as bad debt.

Why BNPL Is a Uniquely Attractive Fraud Target

The UK BNPL market is forecast to process £27.1 billion in transactions in 2025, according to The Payments Association, with adoption concentrated among 18-to-34-year-olds and accelerating across mid-ticket retail categories. The structural features driving that adoption are also the features that create its fraud exposure.

No extended review window exists: any risk model that cannot return a signal within the checkout latency budget is commercially useless. Deferred repayment gives bad actors the window between purchase and first instalment to receive goods and disappear, which is why synthetic identity fraud gravitates to BNPL. And a fraudster who successfully exploits one provider faces a clean slate at every competitor, because behaviour that would be an obvious pattern across platforms is invisible at the individual level.

The Fraud Taxonomy: What Risk Teams Are Actually Dealing With

Cifas (which shares data, intelligence and learning around fraud prevention) recorded a total of 444,000 fraud cases in 2025, a 6% increase year-on-year, with identity fraud accounting for more than 242,000 of those case. Cifas also stated that there were more than 74,000 account takeover cases in 2024, a 76% increase on 2023. For BNPL platforms, four fraud vectors dominate:

Why Existing Tools Do Not Fit the Problem

Credit bureau checks tell a platform nothing about the phone number just submitted, and synthetic identities are specifically engineered to exploit that gap. Document verification is appropriate for high-value onboarding flows, but in a checkout environment where any visible friction increases abandonment, it is a commercial contradiction BNPL cannot sustain.

OTP verification has become a fraud surface in two distinct ways. SIM swap attacks intercept the code before it reaches the legitimate account holder, allowing account takeover without triggering any identity check. And SMS pumping through Artificially Inflated Traffic (AIT) turns OTP generation itself into a cost: bots trigger mass OTP sends to premium-rate numbers, generating fraudster revenue from the platform’s messaging budget. TeleShield addresses the telephony fraud dimension, but the deeper problem with OTPs is architectural: a mechanism designed to verify the user is now routinely weaponised against both the platform and the user. Our analysis of SIM swap and AML compliance and SIM swap fraud covers the account takeover dimension in detail.

 BNPL needs a fraud signal that is real-time, zero-friction, operates before the credit decision, and generates itself from data the platform already has. The phone number submitted at checkout satisfies all four conditions, if the platform knows how to read it.

What Mobile-First Risk Scoring Is and Why It Works

Mobile number intelligence draws on direct connections to network operators to interrogate the binding between a number and its subscriber across multiple dimensions simultaneously: current activity and subscriber status, tenure, recent porting, SIM swap history, VoIP or prepaid characteristics, and fraud-propensity signals. The result is a credibility score returned via a single API call in milliseconds, requiring nothing from the user, and checkable at any stage of the customer lifecycle without adding friction to any user-facing flow.

TMT ID’s Score product delivers this assessment across more than 60 countries using direct operator connections. It does not replace credit bureau checks or identity verification. It sits upstream of them as a first-line triage signal, concentrating scrutiny where the data warrants it and clearing low-risk users for a faster, more confident path through onboarding.

Five Ways Mobile Risk Scoring Strengthens the BNPL Decision

1. Catching synthetic identities before the credit check runs

A synthetic identity is specifically constructed to pass the checks BNPL platforms apply. The document combination is plausible, the address is real, the credit file is thin but not obviously suspicious. The phone number is frequently the weak link, because sourcing a number that carries the tenure, operator stability, and credibility signals of a legitimate long-term subscriber is considerably harder than fabricating a name or date of birth.

Fraudsters constructing synthetic identities tend to reach for recently obtained SIMs with no usage history, VoIP numbers registered to disposable services, or numbers carrying prior fraud signals. A fraud ring submitting twelve simultaneous applications with plausible-looking synthetic identities will typically show numbers registered within the last fortnight, associated with VoIP providers, and carrying elevated fraud-propensity scores. Mobile risk scoring flags all twelve before the credit check runs, before any credit exposure is taken, and before a single hard enquiry hits the bureau.

2. Detecting account takeover risk at authentication

When a fraudster takes over a BNPL account via SIM swap or credential theft, the mobile number associated with the account typically shows a behavioural anomaly before the account is exploited: the SIM has recently changed, the number has ported to a new network, or the device initiating the session does not match the number’s historical operator profile. These are signals that login authentication relying on static credentials or OTPs is structurally blind to.

Running a mobile risk check at authentication, not only at onboarding, catches these anomalies in real time. For platforms ready to move beyond OTP entirely, Authenticate enables silent device authentication, validating the device-to-number association without sending a code or requiring any user action. This removes both the fraud surface and the cost of OTP in a single architectural change. The full implementation model is covered in the Login Authentication solution.

3. Assessing first-party fraud risk at application

First-party fraud is the hardest BNPL fraud type to catch precisely because the identity is real. The intent to default is invisible in the identity layer and only becomes visible in the repayment data, by which point the goods have been received and the loss is written.

The tenure and stability profile of a phone number is a proxy for the applicant’s genuine connection to the identity they are presenting. A number active for several years, held with a consistent operator, and carrying an established subscriber status looks materially different from one registered shortly before the application. As a signal within a layered model, it adds a dimension that credit history alone cannot provide.

4. Reducing false positives for legitimate customers

A risk system that catches more fraud is commercially valuable only if it does not simultaneously block more legitimate customers. In BNPL, the cost of a false positive is direct and immediate: an abandoned checkout, a lost transaction, a customer who selects a competitor at the moment of highest purchase intent.

Mobile risk scoring functions as a confidence layer in both directions. A phone number with strong credibility signals, extended tenure, stable operator, and clean fraud history provides positive evidence for a genuine user that actively supports faster approval. The score does not only flag risk; it also identifies low-risk applicants who can be cleared with minimal additional friction. It improves precision, not just recall.

5. Enabling continuous identity assurance across the customer lifecycle

BNPL fraud does not only occur at onboarding. Deferred repayment structures create multiple risk windows throughout the customer lifecycle: the account can be legitimate at creation and compromised at any point before the first payment is due. Account takeover attacks are often timed specifically to exploit the gap between purchase and repayment, when the fraudster has maximum time to receive goods and minimum exposure to detection.

The same API call used to score the phone number at onboarding can be re-queried at every subsequent risk event, login, high-value transaction, delivery address change, repayment method update, without any change to the user experience. Authenticate and Transaction Integrity operationalise this model across the full repayment cycle, monitoring the relationship between account and phone number as an ongoing signal rather than a one-time check.

The Regulatory Dimension: Why July 2026 Changes the Calculation

BNPL platforms in the UK are not approaching a theoretical future regulatory environment. The UK government laid legislation before Parliament in May 2025 bringing deferred payment credit under FCA regulation. The regime comes into force on 15 July 2026. All third-party BNPL lenders must obtain FCA authorisation or enter a temporary permissions regime before that date to continue operating.

The FCA rules will require affordability and creditworthiness assessments before extending credit, and full Consumer Duty obligations. The intersection with fraud prevention is direct: a phone number credibility check that catches a synthetic identity at onboarding also demonstrates to the FCA that the platform applied meaningful due diligence before extending credit. Mobile risk scoring is not separate from the regulatory compliance effort. It is part of the evidence that a platform has built a risk infrastructure in line with its credit obligations.

Platforms that build robust, low-friction risk infrastructure now, meeting both fraud prevention and FCA compliance obligations with the same architecture, will be positioned to capture share from those that do not.

BNPL platforms are approaching July 2026 having to rebuild their risk infrastructure regardless. The question is not whether to invest in fraud and compliance controls, but whether those controls are designed for the real-time, mobile-native environment that BNPL actually operates in.

The phone number submitted at checkout is one of the richest identity signals available at the moment of a BNPL decision. Leaving it unread is not a neutral position. It is a deliberate exposure to synthetic identities, account takeovers, and first-party fraud that currently cost BNPL platforms revenue they will never recover. Platforms that integrate mobile-first risk scoring will find they are simultaneously better defended against the fastest-growing fraud vectors and better positioned for the regulatory environment arriving in 2026. The two objectives are served by the same architecture.